You've heard about the importance of Web application security. You know security is not a product or a one-time status but rather an essential ingredient that has to be baked in, literally, to the SDLC.
A large part of my security assessment work involves Web security. Based on what I see, there's an obvious justification for sound Web security practices such as those the OWASP Top Ten Project addresses. Regardless of the caliber of your firewall or the fact that you're using SSL, Web security weaknesses are still pervasive across all types of industries. From manufacturing to banking to higher education, the same Web application flaws exist across the board. Figure 1 shows the OWASP Top 10-based Web vulnerabilities I've found in my Web security assessment work in the past year alone.
Figure 1 – Percentage of OWASP Top 10 Web vulnerabilities I discovered in my work
As you can see, Cross-site Scripting (XSS) was the most common finding. I found it in 93% of the sites/applications I tested. Broken Authentication and Session Management and Improper Error Handling had a strong showing as well. Not surprisingly, I didn't find a single instance of Insecure Storage in the same timeframe. However, I was surprised to find some exploitable Denial of Service weaknesses – something that's often taken for granted but can certainly put a stranglehold on your business if you don't catch it in time.
I think it's pretty clear that some work still needs to be done with Web security, especially with regard to XSS and the authentication mechanisms sitting in front of many applications. The "old" adage that security is a business issue that must be supported by management if it's going to be successful is worth repeating. No amount of secure coding, agile development, or QA is enough to have secure Web applications. You have to test for security vulnerabilities using good tools and proven ethical hacking techniques over and over and over again, period. And then, of course, you have to fix the issues that matter.
Check out this Web Application Security Guide for all you need to know to get started with Web application security and ensure you're on the path to success.
Common software security risks and oversights
The foundation for solid software security lies in business operations. But, as important as it is, establishing this foundation isn't easy or appealing. This tip outlines four fundamental software security issues that result from a disconnect existing between business and technical operations. You'll also find a list of questions that will help you begin to close this gap and improve the security of your applications.
10 steps to acing Web app security assessments
The key to a successful Web application security assessment is diligent upfront planning, certainly not an easy task when time is short and resources are tight. However, taking into consideration these ten issues before you dive into that security assessment will help ensure that the project runs smoothly, is thorough and finishes on schedule.
Hack maliciously to boost your software's security
Web vulnerability scanning tools have their place in an application security assessment, but they are not the be-all and end-all. Web application testing should consist of automated methods as well as manual hacking attempts. This tip explains the role tools should play in your assessments and the value of malicious hacking.
How to reduce software security, quality flaws with static source code analysis
Static source code analysis is too often overlooked in software security risk testing and management, even though it's easy to do. Doing it helps testers evaluate every attack surface in a Web application. Beyond that, this process automates tedious manual analysis and can quickly spotlight security flaws and quality issues that other methods, like penetration testing, miss. Static source code analysis is simply the act of using a scanning tool to analyze source code, whether it's in Java, C# or another development language. While it is primarily used in Web application development, it can be used in various computing scenarios, including client/server or standalone applications. New tools can even extend source code analysis to dynamic, or hybrid, analysis to see what's happening during application runtime.
Using the Firefox Web Developer extension to find security flaws
Spotting rich Internet application security flaws with WebGoat
You can't trust Web vulnerability scanners to catch the weaknesses in rich Internet applications. Developers, QA analysts and security managers must learn how to identify vulnerabilities in Web services and AJAX applications themselves. This tip introduces WebGoat, an insecure J2EE Web application that is designed to teach Web application security lessons, such as Web service SQL injection and Web service SAX injection.
Fixing four Web 2.0 input validation security mistakes
Failure to validate your Web application's data input can lead to data loss, denial of service and execution of unauthorized code. Learn about four Web security weaknesses that result from input validation mistakes and how to fix them, including system variables in URLs, unvalidated data input fields and unfiltered contact forms.
Commonly-overlooked security flaws in rich Internet applications
The more complex your Web applications, the more complex and dangerous your Web security vulnerabilities become. This tip describes four common security flaws in rich Internet applications like Flash, Web services and AJAX. Learn about vulnerability scanners and application stress testing tools that can help you uncover these weaknesses.
Web security problems: Five ways to stop login weaknesses
Authentication mechanisms are meant to prevent unauthorized users from accessing network resources; however, if they're not properly implemented, authentication mechanisms can serve as open doors to the corporate network. This tip reviews five Web authentication vulnerabilities that present significant risks. Software developers, QA and security professionals learn how to stop login weaknesses that range from weak passwords to faulty multifactor authentication lockout mechanisms.
This was first published in August 2009